A Different Cybersecurity Training
A quick survey of Cybersecurity education options recently got me thinking about InfoSec education for busy Managers and Executives. Are we leaving out the real-world SMB managers and executives? Are we missing something?
I think it's like when computers were first introduced. I graduated college with a Computer Science degree and people would say "I hear you work with computers". But by the 1990s personal computers were being used everywhere and the distinction became "I am a programmer" or "I work for a computer manufacturer" or "I train users" and so on.
It's the same way now with Information Security, and Cybersecurity Training specifically. Of course there is SAT (awareness training) that everyone in a company needs. It focuses on things like password management, cyber hygiene, phishing, physical access, good habits, etc. Very worthwhile.
And then there is more technical InfoSec training for security professionals that leads to industry-recognized certifications like Security+, CISSP, and CEH. More detailed, more concrete, than executive-level training.
And now more recently, security topics and processes that are really management-oriented have been organized into "Management Training" or "Executive Training". Is there a bias toward big corporations?
Last year I attained a CISM (Certified Information Security Manager) certification. Its focus is more on governance, planning, organization, documentation, processes, approvals, and data security concepts. It was very broad, but it essentially focuses on the question "Can you create and manage an enterprise data security program?".
I was kicking around some ideas with a UK professional education company last year, and I took a look at a course they offered "for the boardroom". It was a special in-person course for executives (and those with a generous big-company budget!). I read through their syllabus, and it was basically identical to the CISM outline and prep materials. They were really just copying what was already out there, in its totality rather than as a starting point. And it was a very short course that ran only one day. By my count, it covered seventeen topics in one day.
Last year a UK university asked me to create and present a 15-minute introduction to Cyber Security. 15 minutes! I still have the four-page write-up I created, and I occasionally share it with people, but you can't really do much when you don't allocate enough time. It's not really a great overview.
Let's think outside the box for a moment. What could we (InfoSec professionals) be offering as far as training for managers and executives at small-to-medium companies? Can we help reduce the chances of a successful cyber attack or data breach?
If I was tasked with creating an up-to-date executive-level Information Security course, targeted at companies of ALL sizes, I would take the following approach:
1. Start with the CISM outline and information, which has good content and useful documents like a Charter, an ISP (Information Security Policy), an Asset Inventory, and several others.
2. Ask "what can we reasonably remove from the CISM outline in the name of brevity"?
3. Ask "What can we add to the course from SAT (user training) that makes sense for executives"?
4. Ask "What can we add from the Security+ and CEH outlines that fits our mission and is not too technical"?
5. Add some ideas targeted at small and medium organizations and businesses. In my opinion, this is something that is lacking in CISM.
6. Add a section at the end of the course entitled "What you can do right now". What are the 5 (or 10) steps the execs can take immediately to start reducing their risk of ransomware, destructive attacks and data breaches? Yes, this is the "low hanging fruit". This take-away is the most important part of the course, in my mind.
And I would put most or all of the course online to increase access. (OK, I am biased toward online education because I am in that business - learning technology. But it could be done in person as well.)
Scott Cochran is a strategist and solution developer, with additional information and free downloads available at www.flex-protection.com
Information Security for Companies of All Sizes
1y: I guess the big budgets are with big companies. But the need is there for smaller organizations too.